Home page logo
/

nmap-dev logo Nmap Development mailing list archives

[NSE patch] patch for print_debug calls in scripts without proper formatstring
From: Sven Klemm <sven () c3d2 de>
Date: Mon, 25 Aug 2008 09:58:11 +0200

Hi,

the stdnse.print_debug() function unlike the normal lua print() function expects a format specifier similar to string.format(). There are a few scripts which pass non-static data directly to print_debug leading to "format string vulnerabilities". When lua encounters any % with unknown conversion specifier or any conversion specifier with unmatched argument given to the print_debug() call script execution will stop.

The attached patch fixes the affected scripts.

Cheers,
Sven

--
Sven Klemm
http://cthulhu.c3d2.de/~sven/

Index: scripts/SQLInject.nse
===================================================================
--- scripts/SQLInject.nse       (revision 9714)
+++ scripts/SQLInject.nse       (working copy)
@@ -240,8 +240,7 @@
        end
 
        if #injectable > 0 then
-               stdnse.print_debug(1, id .. ": Testing " .. #injectable .. 
-                                      " suspicious URLs")
+               stdnse.print_debug(1, "%s: Testing %d suspicious URLs", id, #injectable )
        end
 
        -- test all potentially vulnerable queries
Index: scripts/bruteTelnet.nse
===================================================================
--- scripts/bruteTelnet.nse     (revision 9714)
+++ scripts/bruteTelnet.nse     (working copy)
@@ -65,8 +65,7 @@
                 end
 
                i = i + 1
-               stdnse.print_debug(3, id .. " " .. 
-                                 userpass[i-1][1] .. ":" .. escape_cred(userpass[i-1][2]))
+               stdnse.print_debug(3, "%s %s:%s", id, userpass[i-1][1], escape_cred(userpass[i-1][2]))
                return userpass[i-1][1], userpass[i-1][2]
        end
 end
Index: scripts/showHTMLTitle.nse
===================================================================
--- scripts/showHTMLTitle.nse   (revision 9714)
+++ scripts/showHTMLTitle.nse   (working copy)
@@ -37,7 +37,7 @@
        if data.status == 301 or data.status == 302 then
                local url = url.parse( data.header.location )
                if url.host == host.targetname or url.host == ( host.name ~= '' and host.name ) or url.host == host.ip 
then
-                       stdnse.print_debug("showHTMLTitle.nse: Default page is located at " .. url.scheme.. "://" .. 
url.authority .. url.path)
+                       stdnse.print_debug("showHTMLTitle.nse: Default page is located at %s://%s%s", url.scheme, 
url.authority, url.path)
                        data = http.get( host, port, url.path )
                end
        end
Index: scripts/SMTPcommands.nse
===================================================================
--- scripts/SMTPcommands.nse    (revision 9714)
+++ scripts/SMTPcommands.nse    (working copy)
@@ -80,7 +80,7 @@
     resultEHLO = try(socket:receive_lines(1))
    
     if not (string.match(resultEHLO, "^250")) then
---        stdnse.print_debug("1",resultEHLO)
+--        stdnse.print_debug("1","%s",resultEHLO)
 --        stdnse.print_debug("1","EHLO with errors or timeout.  Enable --script-trace to see what is happening.")
         resultEHLO = ""
     end
@@ -100,7 +100,7 @@
     resultHELP = try(socket:receive_lines(1))
    
     if not (string.match(resultHELP, "^214")) then
---        stdnse.print_debug("1",resultHELP)
+--        stdnse.print_debug("1","%s",resultHELP)
 --        stdnse.print_debug("1","HELP with errors or timeout.  Enable --script-trace to see what is happening.")
         resultHELP = ""
     end

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault